Diffstat (limited to 'app/acf-util/roles-html.lsp')
-rw-r--r-- | app/acf-util/roles-html.lsp | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/app/acf-util/roles-html.lsp b/app/acf-util/roles-html.lsp
index 16e4747..d61e60a 100644
--- a/app/acf-util/roles-html.lsp
+++ b/app/acf-util/roles-html.lsp
@@ -5,17 +5,17 @@
 <% ---[[ %>
 <% if view.value.userid then %>
- <H1>Roles/Permission list for <%= view.value.userid.value %>:</H1>
+ <H1>Roles/Permission list for <%= html.html_escape(view.value.userid.value) %>:</H1>
 <% elseif view.value.role then %>
- <H1>Permission list for <%= view.value.role.value %>:</H1>
+ <H1>Permission list for <%= html.html_escape(view.value.role.value) %>:</H1>
 <% else %>
 <H1>Complete permission list:</H1>
 <% end %>
 <% if view.value.roles then %>
- <H2><%= view.value.userid.value %> is valid in these roles</H2>
+ <H2><%= html.html_escape(view.value.userid.value) %> is valid in these roles</H2>
 <% for a,b in pairs(view.value.roles.value) do
- print("<li>",b,"</li>")
+ print("<li>",html.html_escape(b),"</li>")
 end %>
 <% end %>
 <% --]] %>
@@ -23,9 +23,9 @@
 <% ---[[ %>
 <% if view.value.permissions then %>
 <% if view.value.userid then %>
- <H2><%= view.value.userid.value %>'s full permissions are</H2>
+ <H2><%= html.html_escape(view.value.userid.value) %>'s full permissions are</H2>
 <% elseif view.value.role then %>
- <H2><%= view.value.role.value %>'s full permissions are</H2>
+ <H2><%= html.html_escape(view.value.role.value) %>'s full permissions are</H2>
 <% end %>
 <% local controllers = {}
 -- It's nice to have it in alphabetical order
@@ -36,7 +36,7 @@
 io.write("<TABLE>")
 io.write("<TR><TD CLASS='header'>Controller</TD><TD CLASS='header'>Action(s)</TD>")
 for x,cont in ipairs(controllers) do
- print("<TR><TD STYLE='font-weight:bold;'>",cont,"</TD><TD>")
+ print("<TR><TD STYLE='font-weight:bold;'>",html.html_escape(cont),"</TD><TD>")
 -- Again, alphabetical order
 local actions = {}
 for act in pairs(view.value.permissions.value[cont]) do
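Review bot: In the first hunk (`@@ -5,17 +5,17 @@`), the `<H2>` line inside `<% if view.value.roles then %>` indexes `view.value.userid.value` without the `if view.value.userid` check that guards the `<H1>` above it, so a view that carries `roles` but no `userid` would fail with a nil-index error while the argument to `html.html_escape` is being evaluated. Whether the controller can produce that combination is not visible from this hunk; if it can, the guard should read `<% if view.value.roles and view.value.userid then %>`. The `<li>` items are also emitted with no enclosing list element in the visible lines, so wrapping the loop in `<ul>` and `</ul>` would keep the escaped output inside well-formed markup.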
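Review bot: In the `@@ -36,7 +36,7 @@` hunk the changed row is still written with multi-argument `print`, which in standard Lua puts a tab between arguments and appends a newline, while the neighbouring lines use `io.write`. Writing it as `io.write("<TR><TD STYLE='font-weight:bold;'>", html.html_escape(cont), "</TD><TD>")` would match the surrounding style and emit no stray separators. The header row opened by `io.write("<TR><TD CLASS='header'>Controller</TD>…")` is not closed with `</TR>` in the visible lines. The body of the `for x,cont` loop continues outside this hunk.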
@@ -44,7 +44,7 @@
 end
 table.sort(actions)
 for y,act in pairs(actions) do
- print(act)
+ print(html.html_escape(act))
 end
 io.write("<TD></TR>")
 end |
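Review bot: The context line `io.write("<TD></TR>")` that ends each controller row opens a new cell instead of closing the one started by `</TD><TD>` in the row header, so every row leaves a `<TD>` unclosed; it should read `io.write("</TD></TR>")`. With escaping now applied to `act`, this malformed markup is the remaining reason a browser may render the table differently from what the template intends. The escaped actions are separated only by the newline that `print` appends, which HTML collapses to a single space, so an explicit separator such as `<br>` would make the list unambiguous. The enclosing `for x,cont` loop starts outside this hunk.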